Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Single unauthenticated network request creates a full admin account (PR:N/UI:N/AC:L), granting complete control over the application, so confidentiality, integrity, and availability are all High.
Primary rating from Vendor (github).
CVSS VectorVendor: github
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
FOSSBilling is a free, open-source billing and client management system. Versions 0.7.2 and prior expose a guest API endpoint, /api/guest/staff/create, intended for initial administrator bootstrap. Due to a flawed admin-existence check, the endpoint remains usable after an administrator already exists. The flawed guard check uses is_countable() on a value that returns a Model_Admin object or null rather than a countable type, causing the expression to always evaluate as true and bypass the intended protection. As a result, an attacker can reach the unprotected endpoint to create a new administrator account and immediately authenticate, gaining a fully privileged admin session even when an admin already exists. This issue has been fixed in version 0.8.0.
AnalysisAI
Authentication bypass in FOSSBilling 0.7.2 and earlier lets remote unauthenticated attackers create a fully privileged administrator account through the guest bootstrap endpoint /api/guest/staff/create, which fails to lock after the first admin exists. Because the account can immediately authenticate, this yields complete takeover of the billing and client-management platform. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The required condition is simply that a FOSSBilling instance at version 0.7.2 or earlier is network-reachable with the guest API enabled and the /api/guest/staff/create endpoint accessible - the default state of an installed instance. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | All available signals point to high real-world risk for exposed instances. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker discovers an internet-exposed FOSSBilling instance (0.7.2 or earlier) and sends a single crafted POST request to /api/guest/staff/create supplying their own chosen credentials. Despite an administrator already existing, the broken guard accepts the request and creates a new admin account, after which the attacker logs in to obtain a fully privileged admin session and controls billing data, customers, and configuration. … |
| Remediation | Vendor-released patch: upgrade to FOSSBilling 0.8.0, which corrects the admin-existence check and refactors the guest API routes to expose less publicly. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Immediately restrict network access to FOSSBilling instances (firewall/VPN only) or deploy WAF rules blocking POST requests to /api/guest/staff/create. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39096